DEC. 1 2. 2005 11:18AM ZILKA-KOTAB, PC 

-2- 



NO. 1219 P. 5 



IN THE CLAIMS 
Amended claims follow: 

1 . (Currently Amended) A method for detecting a denial-of-service attack using an 
execution profile for a kernel of a server computer system, comprising: 

producing a run-time execution profile by gathering statistics related to execution 
of a protocol stack within the kernel of the server, 

wherein the protocol stack processes packets received from client computer 
systems; 

comparing the run-time execution profile with a normal execution profile for the 
kernel of the server, 

wherein the normal execution profile is representative of execution when the 
server is not subject to a denial-of-service attack; and 

indicating that a denial-of-service attack is taking place if the run-time execution 
profile deviates from the normal execution profile; 

wherein producing the run-time execution profile involves gathering statistics 
regarding a fraction of time that the server spends executing one_or more portions of code 
related to the protocol stack . 

2. (Cancelled) 

3. (Currently Amended) The method of claim [2]i, wherein producing the run-time 
execution profile involves producing a vector indicating a number of times that the server 
is found to be executing the one or more portions of code related to the protocol stack, 

4. (Currently Amended) The method of claim [2]i, wherein the one or more portions 
of code related to the protocol stack include: 

a portion related to processing TCP SYN requests; 
a portion related to processing TCP ACKs; 
a portion related to processing TCP data; 
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a portion related to processing ICMP echo requests; and 
a portion that is unrelated to the protocol stack. 

5 . (Original) The method of claim 1 } further comprising producing the normal 
execution profile by gathering statistics related to execution of the server when the server 
is not subject to a denial-of-service attack, 

6. (Original) The method of claim 1 , wherein if a denial-of-service attack is 
detected, the method further comprises blocking offending packets from reaching the 
server. 

7. (Original) The method of claim 1 , wherein producing the run-time execution 
profile involves gathering statistics over a first time window, and subsequently gathering 
statistics for a subsequent run-time execution profile over a second time window, 

8. (Original) The method of claim 7, further comprising gathering statistics for a 
concurrent execution profile over a concurrent time window that overlaps the first time 
window and the second time window, so that a denial-of service attack that overlaps the 
first time window and the second time window can be detected in the concurrent time 
window. 

9. (Original) The method of claim 1, wherein comparing the run-time execution 
profile with the normal execution profile involves determining if the run-time execution 
profile deviates more than a pre-specified amount from the normal execution profile. 

10. (Currently Amended) A computer-readable storage medium storing instructions 
that when executed by a computer cause the computer to perform a method for detecting 
a denial-of-service attack using an execution profile for a kernel of a server computer 
system, the method comprising: 

producing a run-time execution profile by gathering statistics related to execution 
of a protocol stack within the kernel of the server. 
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wherein the protocol stack processes packets received from client computer 
systems; 

comparing the run-time execution profile with a normal execution profile for the 
kernel of the server; 

wherein the normal execution profile is representative of execution when the 
server is not subject to a denial-of-service attack; and 

indicating that a denial-of-service attack is taking place if the run-time execution 
profile deviates from the normal execution profile; 

wherein producing the run-time execution profile involves gathering statistics 
regarding a fraction of time that the server spends executing one or more portions code 
related to the protocol stack . 

11. (Cancelled) 

12. (Currently Amended) The computer-readable storage medium of claim [1 1 110, 
wherein producing the run-time execution profile involves producing a vector indicating 
a number of times that the server is found to he executing the one or more portions of 
code related to the protocol stack. 

13. (Currently Amended) The computer-readable storage medium of claim [ 1 1 ]IQ > 
wherein the one or more portions of code related to the protocol stack include: 

a portion related to processing TCP SYN requests; 

a portion related to processing TCP ACKs; 

a portion related to processing TCP data; 

a portion related to processing ICMP echo requests; and 

a portion that is unrelated to the protocol stack, 

14. (Original) The computer-readable storage medium of claim 1 0, wherein the 
method further comprises producing the normal execution profile by gathering statistics 
related to execution of the server when the server is not subject to a denial-of-service 
attack. 
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1 5 . (Original) The computer-readable storage medium of claim 1 0, wherein if a 
denial-of-service attack is detected, the method further comprises blocking offending 
packets from reaching the server. 

1 6. (Original) The computer-readable storage medium of claim 1 0, wherein 
producing the run-time execution profile involves gathering statistics over a first time 
window, and subsequently gathering statistics for a subsequent run-time execution profile 
over a second time window. 

1 7. (Original) The computer-readable storage medium of claim 1 6 5 wherein the 
method further comprises gathering statistics for a concurrent execution profile over a 
concurrent time window that overlaps the first time window and the second time window, 
so that a deniai-of service attack that overlaps the first time window and the second time 
window can be detected in the concurrent time window. 

1 8. (Original) The computer-readable storage medium of claim 1 0, wherein 
comparing the run-time execution profile with the normal execution profile involves 
determining if the run-time execution profile deviates more than a pre-specified amount 
from the normal execution profile. 

1 9. (Currently Amended) A apparatus that detects a denial-of-service attack through 
use of an execution profile for a kernel of a server computer system, comprising: 

a profiling mechanism that is configured to produce a run-time execution profile 
by gathering statistics related to execution of a protocol stack within the kernel of the 
server; 

wherein the protocol stack processes packets received from client computer 
systems; 

a comparison mechanism that is configured to compare the run-time execution 
profile with a normal execution profile for the kernel of the server; 
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wherein the normal execution profile is representative of execution when the 
server is not subject to a denial-of-service attack; and 

wherein the comparison mechanism is configured to indicate that a denial-of- 
service attack is taking place if the run-time execution profile deviates from the normal 
execution profile; 

wherein the profiling mechanism is configured to gather statistics regarding a 
fraction of time that the server spends executing one or more portions code related to the 
protocol stack . 

20. (Cancelled) 

2 1 . (Currently Amended) The apparatus of claim [20] 19, wherein the profiling 
mechanism is configured to produce a vector indicating a number of times that the server 
is found to be executing the one or more portions of code related to the protocol stack. 

22. (Currently Amended) The apparatus of claim [20J19, wherein the one or more 
portions of code related to the protocol stack include: 

a portion related to processing TCP SYN requests; 

a portion related to processing TCP ACKs; 

a portion related to processing TCP data; 

a portion related to processing ICMP echo requests; and 

a portion that is unrelated to the protocol stack. 

23. (Original) The apparatus of claim 19, wherein the profiling mechanism is 
additionally configured to produce the normal execution profile by gathering statistics 
related to execution of the server when the server is not subject to a denial-of-service 
attack. 

24. (Original) The apparatus of claim 19, further comprising a blocking mechanism 
that is configured to block offending packets from reaching the server if a denial-of- 
service attack is detected. 
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25. (Original) The apparatus of claim 19, wherein while producing the run-time 
execution profile, the profiling mechanism is configured to gather statistics over a first 
time window, and to subsequently gather statistics for a subsequent ma-time execution 
profile over a second time window. 

26. (Original) The apparatus of claim 25, wherein the profiling mechanism is 
additionally configured to gather statistics for a concurrent execution profile over a 
concurrent time window that overlaps the first time window and the second time window, 
so that a denial-of service attack that overlaps the first time window and the second time 
window can be detected in the concurrent time window. 

27- (Original) The apparatus of claim 1 9, wherein the comparison mechanism is 
configured to determine if the run-time execution profile deviates more than a pro- 
specified amount from the normal execution profile. 

28. (New) The method of claim 1, wherein the protocol stack includes a datalink 
layer, an Internet Protocol layer, a Transmission Control Protocol/User Datagram 
Protocol/Internet Control Message Protocol layer and an application layer such that the 
one or more portions of code are associated with each of the layers. 

29. (New) The method of claim 1, wherein producing the normal execution profile 
involves producing a vector indicating a normal number of times that the server is found 
to be executing the one or more portions of code related to the protocol stack 
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